Skip to main content

vchkrcpt.sh - my kick butt script for vpopmail

This script is for those who have build a qmail+vpopmail server (including qmr and some of the other distributions).

This script also requires the vchkrcpt patch, which you may need to mangle to work with your config.  It seems that this patch fell through the cracks and didn't get into most of the main distributions.  It is a terrible shame, because almost all default qmail setups have a severe security issue:  they accept all email for a domain, and if an account doesn't exist, they bounce it later.  This is terrible, what with the age of SpamCop and other "spam trap" and realtime black hole lists out there. 

Ponder this batman:  Somebody spams you at your domain with a bad recipient address like not_there@yourcompany.com and forges the sender to be some spamtrap like qazwsx123@spamcop.net.  If your server accepts all mail for "yourcompany.com" and then bounces it later, then it will accept this message.  It will then generate a bounce message, which it sends to the forged email address.  In this scenario, somebody else spammed you, but you sent email to a spam trap, which often automatically blacklists your mail server.  nice, huh...

SO... the point of that little bunny trail is that you shouldn't accept email when it is addressed to a non-existant mailbox.  Thats where vchkrcpt comes in.  Patch your qmail so you can use it (not covered here), and once you can support it, use my script.

And here it is in all its goodness and tested wonder.  Quick warranty and disclaimer:  don't be dumb.  edit this for your server and tested it on a non-production server.  If you don't do these things, its nobody's fault but your own for crashing your mail server.

#!/bin/bash

#

# Andrew's kick-ass chkrcpt script for qmail+vpopmail

# Author: aschwabe@gmail.com

#

# This script makes qmail check for the existance of a user before email is accepted.

# Will check vpopmail accounts, and look for .qmail* files to determine real accounts.

# Logs all checks in the /var/log/maillog, and then refers to it to throttle spammers.

set -- $RECIPIENT

set -- $SENDER

MY_TEST=""

#echo `whoami`

if [ "$RECIPIENT" == "" ]; then

    # uncomment these lines and the "echo" lines throughout to test at the command line

    #echo "sender:"

    #read SENDER

    #echo "recipient:"

    #read RECIPIENT

    exit 100

fi

# email sender addresses explicitly allowed:

allowed[1]="override@yourcompany.comiexp.com"

for index in 1 2

do

  if [ "$SENDER" == "${allowed[index]}" ]; then

        /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : ok (sender explicitly allowed: ${allowed[index]})"

        exit 0

  fi

done

USERPART=`echo "$RECIPIENT" |cut -d@ -f1`

DOMAIN=`echo "$RECIPIENT" |cut -d@ -f2`

# We reject any emails with more than one @ sign

THIRDPART=`echo "$RECIPIENT" |cut -d@ -f3`

if [ "$THIRDPART" != "" ]; then

  #echo "Invalid username - multiple or no @ signs"

  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : illegal username"

  exit 100

fi

# We reject any emails with ! in the name

EXCL_CHECK=`echo $USERPART |grep '!' >/dev/null 2>&1; echo $?|grep "1" > /dev/null 2>&1 ; echo $?`

if [ "$EXCL_CHECK" == "1" ]; then

  #echo "Invalid username"

  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : illegal username"

  exit 100

fi

# We reject any emails with a percent sign in the name

PERCENT_CHECK=`echo $USERPART |grep '%' >/dev/null 2>&1; echo $?|grep "1" > /dev/null 2>&1 ; echo $?`

if [ "$PERCENT_CHECK" == "1" ]; then

  #echo "Invalid username"

  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : illegal username"

  exit 100

fi

# We reject if this sender has had 3 or more bad recipients recently

if [ "$SENDER" != "" ]; then

    SPAMMER_CHECK=`tail -n300 /var/log/maillog|grep vchkrcpt|grep $SENDER |grep 'bounce-no-mailbox'|wc -l`

    #echo 'result of spammer check:'

    #echo $SPAMMER_CHECK

    if [ "$SPAMMER_CHECK" -gt "2" ]; then

        #echo "Too many invalid recipients.  Mail will not be accepted."

        /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : spammer=bounce-no-mailbox"

        exit 100

    fi

fi

# check for valid account

MY_TEST=`/home/vpopmail/bin/vuserinfo -d $RECIPIENT |/usr/bin/head -n1`

if [ "$MY_TEST" == "" ] || [ "${MY_TEST:0:7}" == "no such" ]; then

  # it wasn't a real pop user, so check if its an alias

  MY_TEST=`/home/vpopmail/bin/valias $RECIPIENT|/usr/bin/head -n1`

  # if the address has a dash in it, re-build a default alias address

  USER_ALIAS_CHECK=`echo $USERPART |grep '\-' >/dev/null 2>&1; echo $?|grep "1" > /dev/null 2>&1 ; echo $?`

  if [ "$USER_ALIAS_CHECK" == "1" ]; then

    ALIAS_USERPART=`echo $USERPART | cut -d - -f1`

    ALIAS_USERPART=$ALIAS_USERPART"-default"

    ALIAS_RECIPIENT=$ALIAS_USERPART"@"$DOMAIN

    MY_TEST2=`/home/vpopmail/bin/valias $ALIAS_RECIPIENT|/usr/bin/head -n1`

  else

    MY_TEST2=""

  fi

  if [ "$MY_TEST" != "" ]; then

    # this is a valid alias

    #echo "valid alias"

    /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : alias ok"

    exit 0

  elif [ "$MY_TEST2" != "" ]; then

    # this is a valid user alias

    #echo "valid user-alias"

    /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : user-alias ok"

    exit 0

  else

    # look for a .qmail-default file, and see it if has a real account in it

    DEFAULT_RECIPIENT="default@"$DOMAIN

    #echo "default recipient = $DEFAULT_RECIPIENT"

    DEFAULT_BOUNCE=`/home/vpopmail/bin/valias $DEFAULT_RECIPIENT | /usr/bin/head -n1|grep bounce-no-mailbox \

        >/dev/null 2>&1; echo $? |grep "1" > /dev/null 2>&1 ; echo $?`

    #echo "DEFAULT_BOUNCE result = $DEFAULT_BOUNCE"

    if [ "$DEFAULT_BOUNCE" == "1" ]; then

      #echo ".qmail-default = bounce"

      #echo "invalid recipient"

      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=bounce-no-mailbox"

      exit 100

    fi

    DEFAULT_DELETE=`/home/vpopmail/bin/valias $DEFAULT_RECIPIENT | /usr/bin/head -n1|grep ' delete' \

        >/dev/null 2>&1; echo $? |grep "1" > /dev/null 2>&1 ; echo $?`

    #echo "DEFAULT_DELETE result = $DEFAULT_DELETE"

    if [ "$DEFAULT_DELETE" == "1" ]; then

      #echo ".qmail-default = delete"

      #echo "invalid recipient"

      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=delete"

      exit 100

    fi

    MY_TEST=`/home/vpopmail/bin/valias $DEFAULT_RECIPIENT | /usr/bin/head -n1`

    #echo "ALIAS DEFAULT result = $MY_TEST"

    if [ "$MY_TEST" == "" ]; then

      #echo "invalid recipient (no default alias)"

      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=none"

      exit 100

    else

      #echo "valid recipient (.qmail-default)"

      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=ok"

      exit 0

    fi

  fi

else

  #echo "valid mailbox"

  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : account ok"

  exit 0

fi

 

Popular posts from this blog

Installing python 3.4.x on OSX El Capitan

I love "brew" package manager, but sometimes being too progressive breaks things.  I have several python apps that I maintain that get deployed to AWS using Elastic Beanstalk.  AWS eb can deploy with python 2.7 or 3.4.  Any recent 'brew install python3" will get 3.5.1. #annoying

Making Macbook Air with 128GB SSD usable with Bootcamp

I recently got a new Macbook Air 11" (the 2012 version) and loaded it with goodies like 8GB ram and 2GHz Core i7.  What I DIDN'T upgrade was the internal SSD.  My config came with 128GB SSD and I refused to pay $300+ to upgrade it to 256GB.  Yeah I know, some call me cheap, but SSds cost $75-$150 for 240GB, so adding another 128GB for $300 seemed way too steep for me.  I figured "ok, I'm going to make 128G work!"

Here is the story of how that went...

Getting Started with OpenVAS on CentOS - an open source vulnerability scanner

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. (Taken from the OpenVAS website, which is at http://www.openvas.org/ )





This blog entry will introduce OpenVAS version 3.1, walk through installation on CentOS and is intended as a "getting started" guide. I'll also do a guide for installing on Ubuntu later.